Only flag empty {} for null-prototype-dictionaries; allow __proto__: null in no-null

Agent-Logs-Url: https://github.com/microsoft/rushstack/sessions/1d063584-7336-4ab7-b4d0-e2a46bebba49

Co-authored-by: dmichon-msft <26827560+dmichon-msft@users.noreply.github.com>

Author: Copilot

eslint/eslint-plugin/src/no-null.ts

@@ -50,6 +50,20 @@ const noNullRule: TSESLint.RuleModule<MessageIds, Options> = {
             return;
           }
 
+          // Is this "__proto__: null" inside an object literal?  This is used to create
+          // an object literal that does not inherit from Object.prototype.
+          if (
+            node.parent &&
+            node.parent.type === AST_NODE_TYPES.Property &&
+            !node.parent.computed &&
+            ((node.parent.key.type === AST_NODE_TYPES.Identifier &&
+              node.parent.key.name === '__proto__') ||
+              (node.parent.key.type === AST_NODE_TYPES.Literal &&
+                node.parent.key.value === '__proto__'))
+          ) {
+            return;
+          }
+
           context.report({ node, messageId: 'error-usage-of-null' });
         }
       }

eslint/eslint-plugin/src/null-prototype-dictionaries.ts

@@ -4,7 +4,7 @@
 import type { TSESTree, TSESLint, ParserServices } from '@typescript-eslint/utils';
 import type * as ts from 'typescript';
 
-type MessageIds = 'error-empty-object-literal-dictionary' | 'error-missing-null-prototype';
+type MessageIds = 'error-empty-object-literal-dictionary';
 type Options = [];
 
 const nullPrototypeDictionariesRule: TSESLint.RuleModule<MessageIds, Options> = {
@@ -17,10 +17,7 @@ const nullPrototypeDictionariesRule: TSESLint.RuleModule<MessageIds, Options> =
         ' instead of an empty object literal. This avoids prototype pollution, collisions with' +
         ' Object.prototype members such as "toString", and enables higher performance since runtimes' +
         ' such as V8 process Object.create(null) as opting out of having a hidden class and going' +
-        ' directly to dictionary mode.',
-      'error-missing-null-prototype':
-        'Dictionary object literals typed as Record<string, T> should include "__proto__: null"' +
-        ' to avoid prototype pollution and collisions with Object.prototype members such as "toString".'
+        ' directly to dictionary mode.'
     },
     schema: [],
     docs: {
@@ -83,31 +80,12 @@ const nullPrototypeDictionariesRule: TSESLint.RuleModule<MessageIds, Options> =
           return;
         }
 
-        // For empty object literals, recommend Object.create(null) which is more performant
+        // Only flag empty object literals; non-empty literals are allowed for now
         if (node.properties.length === 0) {
           context.report({
             node,
             messageId: 'error-empty-object-literal-dictionary'
           });
-          return;
-        }
-
-        // For non-empty object literals, check whether "__proto__: null" is present
-        const hasNullProto: boolean = node.properties.some(
-          (prop) =>
-            prop.type === 'Property' &&
-            !prop.computed &&
-            ((prop.key.type === 'Identifier' && prop.key.name === '__proto__') ||
-              (prop.key.type === 'Literal' && prop.key.value === '__proto__')) &&
-            prop.value.type === 'Literal' &&
-            prop.value.value === null
-        );
-
-        if (!hasNullProto) {
-          context.report({
-            node,
-            messageId: 'error-missing-null-prototype'
-          });
         }
       }
     };

eslint/eslint-plugin/src/test/no-null.test.ts

@@ -49,6 +49,11 @@ ruleTester.run('no-null', noNullRule, {
       // Computed property access: Object["create"](null) is NOT exempted
       code: 'Object["create"](null);',
       errors: [{ messageId: 'error-usage-of-null' }]
+    },
+    {
+      // null on a non-__proto__ property is still flagged
+      code: 'const x = { foo: null };',
+      errors: [{ messageId: 'error-usage-of-null' }]
     }
   ],
   valid: [
@@ -79,6 +84,14 @@ ruleTester.run('no-null', noNullRule, {
     {
       // Object.create(null) inside a function
       code: 'function createDict() { return Object.create(null); }'
+    },
+    {
+      // __proto__: null is allowed in object literals
+      code: 'const obj = { __proto__: null, a: 1 };'
+    },
+    {
+      // __proto__: null as string key is also allowed
+      code: 'const obj = { "__proto__": null, a: 1 };'
     }
   ]
 });

eslint/eslint-plugin/src/test/null-prototype-dictionaries.test.ts

@@ -32,16 +32,6 @@ ruleTester.run('null-prototype-dictionaries', nullPrototypeDictionariesRule, {
       // Return value from function
       code: 'function f(): Record<string, number> { return {}; }',
       errors: [{ messageId: 'error-empty-object-literal-dictionary' }]
-    },
-    {
-      // Non-empty object literal without __proto__: null
-      code: 'const dict: Record<string, string> = { a: "hello" };',
-      errors: [{ messageId: 'error-missing-null-prototype' }]
-    },
-    {
-      // Non-empty object literal with __proto__ set to something other than null
-      code: 'const dict: Record<string, string> = { __proto__: Object.prototype, a: "hello" };',
-      errors: [{ messageId: 'error-missing-null-prototype' }]
     }
   ],
   valid: [
@@ -50,7 +40,11 @@ ruleTester.run('null-prototype-dictionaries', nullPrototypeDictionariesRule, {
       code: 'const dict: Record<string, number> = Object.create(null);'
     },
     {
-      // Correct pattern: non-empty literal with __proto__: null
+      // Non-empty object literal is allowed for now
+      code: 'const dict: Record<string, string> = { a: "hello" };'
+    },
+    {
+      // Non-empty literal with __proto__: null is also fine
       code: 'const dict: Record<string, string> = { __proto__: null, a: "hello" };'
     },
     {